An unknown threat actor has been employing a “complex and powerful” malware loader for deploying cryptocurrency miners on affected systems and possibly allowing the theft of Discord tokens.
“The evidence found on victim networks appears to indicate that the goal of the attacker was to install cryptocurrency mining software on victim machines,” researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said in a report shared with The Hacker News.
“This would appear to be a relatively low-reward goal for the attacker given the level of effort that would have been required to develop this sophisticated malware.”
The sophisticated malware, called Verblecon, was first tracked in January 2021, and its payload has polymorphic qualities that help it avoid signature-based detection by security software.
The loader also checks whether it is being debugged or run inside a virtual machine or sandbox before copying itself onto the machine and connecting to a remote server to fetch an encrypted blob containing a URL. That URL is then used to download the miner payloads.
“The activity we have seen carried out using this sophisticated loader indicates that it is being wielded by an individual who may not realize the capabilities of the malware they are using,” the researchers pointed out.
“However, if it fell into the hands of a more sophisticated actor the potential is there for this loader to be used for more serious attacks, including potential ransomware and espionage campaigns.”